TECHNOLOGICAL FIELD

This technology generally relates to network communications, and more particularly, to systems and methods for handling requests between different resource record types.
BACKGROUND

Computer networks (e.g., the Internet) are making a slow and painful transition from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6): slow because deploying IPv6 is most useful once all network devices deploy it (the “network effect”), and painful because it requires software and/or hardware updates. One transition mechanism is DNS64, which synthesizes the AAAA resource records (quad-A records) used for IPv6 from the A records used for IPv4. However, when DNS64 software positioned between a DNS client requesting an AAAA resource record and a DNS server synthesizes the AAAA record, it cannot sign the synthesized record, and a downstream validator will therefore mark the synthesized AAAA resource record as invalid. The conversion produces a different resource record type (an AAAA response from an A response), so the original Resource Record Signature (RRSIG), which covers only the IPv4 A resource record set, does not cover the synthesized AAAA records and cannot validate them. As a result, conventional implementations of DNS64 break Domain Name System Security Extensions (DNSSEC): client devices requesting the resource records receive AAAA responses that cannot be validated, which leaves them unable to distinguish such responses from forged ones and defeats the purpose of DNSSEC itself.
SUMMARY

One example of the technology is a method for handling requests between different resource record types. The method includes receiving, at a traffic management device, a first resource record type from one or more server devices in response to a request from a client device. The traffic management device validates the first resource record type and, after the validating, creates a second resource record type corresponding to the first resource record type. The traffic management device then signs the second resource record type in order to service the request from the client device.
Another example includes a computer readable medium having stored thereon instructions for handling requests between different resource record types which, when executed by at least one processor, cause the processor to perform a number of steps. The steps include receiving at a traffic management device a first resource record type from one or more server devices in response to a request from a client device. Additionally, the steps include validating at the traffic management device the first resource record type, and creating a second resource record type corresponding to the first resource record type after the validating. Signing the second resource record type at the traffic management device is carried out for servicing the request from the client device.
Another example is that of a traffic management device, which includes one or more processors executing one or more traffic management applications, a memory coupled to the one or more processors by a bus, and a network interface controller coupled to the one or more processors and the memory and configured to receive data packets from a network that relate to the executing traffic management applications and to handle requests between different resource record types. In this example, at least one of the one or more processors is configured to execute programmed instructions stored in the memory, and the network interface controller includes logic capable of being further configured to implement receiving at the traffic management device a first resource record type from one or more server devices in response to a request from a client device. The implementation includes validating at the traffic management device the first resource record type, and creating a second resource record type corresponding to the first resource record type after the validating. Signing the second resource record type at the traffic management device is carried out for servicing the request from the client device.
The examples offer numerous advantages for secure handling of requests and for converting responses from one resource record type to another dynamically, in real time or “on the fly.” By way of example only, the technology disclosed enables real-time deployment of a DNSSEC proxy for DNS64 by which a complete chain of trust between an IPv4 environment and an IPv6 environment is maintained. Even when an AAAA record is synthesized by the DNS64 device (e.g., a traffic management device), the chain of trust is maintained, since the synthesized AAAA record is made verifiable by attaching a signature at the DNS64 device where the synthesis occurs. For that signature to be accepted, the downstream validator must hold a trust anchor for, or have a secure delegation to, the key used for signing at the DNS64 device, since the DNS64 device does not hold the zone owner's private signing key. Therefore, signing the synthesized or created AAAA resource record, which is an exemplary resource record type, when the requested resource record type is not obtained from the servers, enables valid responses to requests and thereby maintains DNSSEC compliance for the responding devices (e.g., servers). It is to be noted that although AAAA and A resource record types are discussed in the examples, the technology is applicable to other types of resource records, including but not limited to Andrew File System Database (AFSDB) records, Canonical Name (CNAME) records, Host Information (HINFO) records, Integrated Services Digital Network (ISDN) records, Location (LOC) records, Mail Exchanger (MX) records, Mail Group (MG) records, Mailbox (MB) records, Mailbox Information (MINFO) records, Mailbox Rename (MR) records, Name Server (NS) records, Network Service Access Point (NSAP) records, Public Key (KEY) records, Responsible Person (RP) records, Reverse-lookup Pointer (PTR) records, Route Through (RT) records, Start of Authority (SOA) records, Text (TXT) records, Well-Known Services (WKS) records, X.400 Address Mapping (PX) records, X.25 Address Mapping (X25) records, and the like.
These and other advantages, aspects, and features will become more apparent from the following detailed description when viewed in conjunction with the accompanying drawings. Non-limiting and non-exhaustive examples are described with reference to the following drawings. Accordingly, the drawings and descriptions below are to be regarded as illustrative in nature, and not as restrictive or limiting.
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an exemplary network system environment using a traffic management device for handling requests between different resource record types;
FIG. 2 is a partly schematic and partly functional block diagram of the traffic management device in the exemplary network environment of FIG. 1; and
FIG. 3 is a flow chart of an exemplary process and method for handling requests between different resource record types.
DETAILED DESCRIPTION

Various examples of the technology disclosed enable a traffic management device 110 to handle requests from client devices that are of a first resource record type and to service those requests based upon responses from server devices that are of a different, second resource record type. For example, client devices operating in an IPv6-only environment need to communicate with servers operating in an IPv4-only environment. Traffic management device 110 validates the responses, whether synthesized at the traffic management device 110 or received from servers, before returning them in answer to the requests. In one example, traffic management device 110 validates AAAA resource records for IPv6 client devices, which AAAA resource records are created at the traffic management device 110 itself when the servers respond with an IPv4 A resource record, such that the synthesized AAAA resource record corresponds to the A resource record received by the traffic management device 110.
Referring to FIG. 1, an exemplary network system 100 including traffic management device 110 that is configured to handle requests between different resource record types is illustrated. By way of example only, a network 112 can receive requests and provide responses according to Hyper-Text Transfer Protocol (HTTP) based applications, various Request for Comments (RFC) document guidelines, or the Common Internet File System (CIFS) or Network File System (NFS) protocol in this example, although the principles discussed herein are not limited to these examples and can include other application protocols and other types of requests (e.g., File Transfer Protocol (FTP) based requests). The exemplary network system 100 can include a series of one or more client devices such as client computers 104(1) to 104(n). Client computers 104(1)-104(n) are coupled to traffic management device 110 via a plurality of load balancing devices 106, including load balancing devices 106(1)-106(n), each having a unique network address based upon the resource record type format (e.g., a unique 128-bit IPv6 address). Traffic management device 110 is interposed between servers 102(1) to 102(n) and the client devices 104(1) to 104(n) for providing one or more communication channels through network 112 and a Local Area Network (LAN) 114, although other communication channels may be directly established between various devices in network system 100 without network 112 and/or LAN 114. For clarity and brevity, in FIG. 1 two server devices 102(1) and 102(n) are shown, but it should be understood that any number of server devices can use the exemplary network system 100. Likewise, three client devices 104(1), 104(2), 104(n) and one traffic management device 110 are shown in FIG. 1, but any number of client devices and traffic management devices can also use the exemplary network system 100 as well. Although network 112 and LAN 114 are shown, other numbers and types of networks could be used.
The ellipses and the designation “n” denote an unlimited number of server devices and client devices, respectively.
Servers 102(1)-102(n) (also referred to as server devices 102(1)-102(n)) comprise one or more server computing machines or devices capable of operating one or more Web-based applications that may be accessed by network devices in the network 112, such as client computers 104(1)-104(n), via the plurality of load balancers 106 and traffic management device 110, and may provide other data representing requested resources, such as domain name services and zones, particular Web page(s) corresponding to URL request(s), image(s) of physical objects, and any other objects, responsive to the requests, although the servers 102(1)-102(n) may perform other tasks and provide other types of resources. In this example, at least one of the servers 102(1)-102(n) is an IPv4-only device that caters to various requests made by client computers 104(1)-104(n). Alternatively, or more generally, servers 102(1)-102(n) can be a set of devices providing resource record responses that are of a different type from the resource record types requested and handled by client computers 104(1)-104(n). It should be noted that while only two servers 102(1) and 102(n) are shown in the network system 100 depicted in FIG. 1, other numbers and types of servers may be coupled to the traffic management device 110. It is also contemplated that one or more of the servers 102(1)-102(n) may be a cluster of servers managed by a network traffic management device such as traffic management device 110.
The client computers 104(1)-104(n) in this example (also interchangeably referred to as client devices 104(1)-104(n), client computing devices 104(1)-104(n), clients 104(1)-104(n), and client computing systems 104(1)-104(n)) can run interface applications such as Web browsers that can provide an interface to make requests for and send data, including IPv6 requests, to different Web server-based applications via one or more load balancing devices 106(1)-106(n) connected to the network 112 and/or via traffic management device 110. A series of network applications can run on the servers 102(1)-102(n) that allow the transmission of data that is requested by the client computers 104(1)-104(n). Servers 102(1)-102(n) can provide data or receive data in response to requests directed toward the respective applications on the servers 102(1)-102(n) from the client computers 104(1)-104(n). For example, as per the Transmission Control Protocol (TCP), packets can be sent to the servers 102(1)-102(n) from the requesting client computers 104(1)-104(n) to send data, although other protocols (e.g., FTP) may be used. It is to be understood that the servers 102(1)-102(n) can be hardware or software executing on and supported by hardware, or can represent a system with multiple servers, which can include internal or external networks. Servers 102(1)-102(n) can be domain name servers with Domain Name System (DNS) capabilities hosting one or more website zones.
Generally, the client devices such as the client computers 104(1)-104(n) can include virtually any computing device capable of connecting to another computing device to send and receive information, including Web-based information. The set of such devices can include devices that typically connect using a wired (and/or wireless) communications medium, such as personal computers (e.g., desktops, laptops), mobile and/or smart phones, and the like, as illustrated in FIG. 1. For example, client device 104(2) is a mobile telephone device or a smart-phone with network capabilities in addition to audio capabilities. In this example, the client devices can run browsers and other types of applications (e.g., web-based applications) that can provide an interface to make one or more requests to different server-based applications via network 112, although requests for other types of network applications and resources, for example URLs, may be made by client computers 104(1)-104(n). Client computers 104(1)-104(n) can be configured to make IPv6 AAAA resource record type requests to servers 102(1)-102(n), via various types of traffic management devices (e.g., routers, load balancers, application delivery controllers, and the like).
Client computers 104(1)-104(n) can submit requests through the plurality of load balancing devices 106 that forward the request to a local or a global traffic management device 110 for analysis, as will be discussed below. In one example, load balancing devices 106(1)-106(n) are NAT64 devices, although other types of load balancers with Network Address Translation (NAT) capabilities and/or additional capabilities may be used, as can be contemplated by one of ordinary skill in the art after reading this disclosure. In some examples, traffic management device 110 may be a part of the plurality of load balancing devices 106.
A series of Web-based and/or other types of protected and unprotected network applications can run on servers 102(1)-102(n) that allow the transmission of data that is requested by the client computers 104(1)-104(n). The client computers 104(1)-104(n) can be further configured to engage in a secure communication directly with the traffic management device 110 and/or the servers 102(1)-102(n), via the plurality of load balancing devices 106, Local Domain Name Servers (LDNSs), or otherwise, using mechanisms such as Secure Sockets Layer (SSL), Internet Protocol Security (IPsec), Transport Layer Security (TLS), and the like.
In this example, network 112 comprises a publicly accessible network, such as the Internet, which includes client computers 104(1)-104(n), although network 112 may comprise other types of private and public networks that include other devices. Communications, such as requests from client computers 104(1)-104(n) and responses from servers 102(1)-102(n), take place over network 112 according to standard network protocols, such as the HTTP and TCP/IP protocols in this example, but the principles discussed herein are not limited to this example and can include other protocols (e.g., FTP). Further, network 112 can include local area networks (LANs), wide area networks (WANs), direct connections, other types and numbers of network types, and any combination thereof. On an interconnected set of LANs or other networks, including those based on different architectures and protocols, routers, switches, hubs, gateways, bridges, crossbars, and other intermediate network devices may act as links within and between LANs and other networks to enable messages and other data to be sent from and to network devices. Also, communication links within and between LANs and other networks typically include twisted wire pair (e.g., Ethernet), coaxial cable, analog telephone lines, full or fractional dedicated digital lines including T1, T2, T3, and T4, Integrated Services Digital Networks (ISDNs), Digital Subscriber Lines (DSLs), wireless links including satellite links, optical fibers, and other communications links known to those of ordinary skill in the relevant arts. Generally, network 112 includes any communication medium and method by which data may travel between client devices 104(1)-104(n), servers 102(1)-102(n), and traffic management device 110, and these devices are provided by way of example only.
In this example, each of the servers 102(1)-102(n), traffic management device 110, load balancing devices 106, and client computers 104(1)-104(n) can include a central processing unit (CPU), controller or processor, a memory, and an interface system which are coupled together by a bus or other link, although other numbers and types of each of the components and other configurations and locations for the components can be used. Since these devices are well known to those of ordinary skill in the relevant art(s), they will not be described in further detail herein.
In addition, two or more computing systems or devices can be substituted for any one of the systems in the network system 100. Accordingly, principles and advantages of cloud computing and/or distributed processing, such as redundancy, replication, virtualization, and the like, can also be implemented, as appropriate, to increase the robustness and performance of the devices and systems of the network system 100. The network system 100 can also be implemented on a computer system or systems that extend across any network environment using any suitable interface mechanisms and communications technologies including, for example, telecommunications in any suitable form (e.g., voice, modem, and the like), Public Switched Telephone Networks (PSTNs), Packet Data Networks (PDNs), the Internet, intranets, combination(s) thereof, and the like.
By way of example only and not by way of limitation, LAN 114 comprises a private local area network that includes the traffic management device 110 coupled to the one or more servers 102(1)-102(n), although the LAN 114 may comprise other types of private and public networks with other devices. Networks, including local area networks, besides being understood by those of ordinary skill in the relevant art(s), have already been described above in connection with network 112, and thus will not be described further here.
As shown in the example environment of network system 100 depicted in FIG. 1, the traffic management device 110 can be interposed between the network 112 and the servers 102(1)-102(n) coupled via LAN 114. Alternatively, traffic management device 110 may be a part of the plurality of load balancing devices 106 at the periphery of network 112 and coupled to LAN 114 and/or servers 102(1)-102(n). Again, the network system 100 could be arranged in other manners with other numbers and types of devices. Also, the traffic management device 110 is coupled to network 112 by one or more network communication links and intermediate network devices, such as routers, switches, gateways, hubs, crossbars, and other devices. It should be understood that the devices and the particular configuration shown in FIG. 1 are provided for exemplary purposes only and thus are not limiting. Although a single traffic management device 110 is shown in FIG. 1, additional traffic management devices may be coupled in series and/or parallel to the traffic management device 110, thereby forming a cluster, depending upon specific applications; the single traffic management device 110 shown in FIG. 1 is by way of example only, and not by way of limitation.
Generally, the traffic management device 110 manages network communications, which may include one or more client requests and server responses, to/from the network 112 between the client computers 104(1)-104(n) and one or more of the servers 102(1)-102(n) in LAN 114 in these examples. These requests may be destined for one or more servers 102(1)-102(n), and, as alluded to earlier, may take the form of one or more TCP/IP data packets originating from the network 112, passing through one or more intermediate network devices and/or intermediate networks, until ultimately reaching the traffic management device 110, for example. When originating at client computers 104(1)-104(n), these requests are in a first resource record type format (e.g., an IPv6 quad-A resource record type request or query), and are serviced by servers 102(1)-102(n) which provide responses in a different type of resource record format (e.g., an IPv4 A resource record type response).
In one example, traffic management device 110 is configured as a global server load balancing device to distribute end-user application requests based on business policies, data center conditions, network conditions, user location, and application performance, such that each request from client computers 104(1)-104(n) is automatically directed to the closest or best-performing data center hosting one or more servers 102(1)-102(n). Although in this example traffic management device 110 has global server load balancing capabilities, in alternative examples traffic management device 110 may be a local traffic management device that receives responses from a global server load balancing (GSLB) device coupled to LAN 114. By way of example only, such a global load balancing device can be a BIG-IP® Global Traffic Manager™ provided by F5 Networks, Inc., of Seattle, Wash. Further, it is to be noted that although traffic management device 110 is shown separate from the plurality of load balancing devices 106, in some examples traffic management device 110 can itself be one of the plurality of load balancing devices 106.
In addition, as discussed in more detail with reference to FIGS. 2-3, traffic management device 110 is configured to handle requests between different resource record types (e.g., IPv6 quad-A requests answered by IPv4 A resource records from servers 102(1)-102(n)). In any case, the traffic management device 110 may manage the network communications by performing several network traffic management related functions involving network communications, secured or unsecured, such as load balancing, access control, VPN hosting, network traffic acceleration, encryption, decryption, cookie and key management, and providing authenticated domain name service in accordance with the systems and processes described further below in connection with FIGS. 2-3, for example.
Referring to FIG. 2, an exemplary traffic management device 110 is illustrated. Included within the traffic management device 110 is a system bus 26 (also referred to as bus 26) that communicates with a host system 18 via a bridge 25 and with an input-output (I/O) device 30. In this example, a single I/O device 30 is shown to represent any number of I/O devices connected to bus 26. In one example, bridge 25 is in further communication with a host processor 20 via host input output (I/O) ports 29. Host processor 20 can further communicate with a network interface controller 24 via a CPU bus 202, a host memory 22 (via a memory port 53), and a cache memory 21. As outlined above, included within the host processor 20 are host I/O ports 29, memory port 53, and a main processor (not shown separately). In this example, host system 18 includes a validation module 208 that includes algorithms and instructions/code stored thereupon to validate and sign resource records created at the traffic management device 110 by attaching resource record signatures (RRSIGs) to the synthesized resource record types (e.g., synthesized IPv6 AAAA resource records). It is to be noted that validation module 208 may be implemented as hardware logic circuitry, or as a combination of logic circuitry with code executing thereupon. Further, although validation module 208 is illustrated as a single module/block, the functionality of validation module 208 can be implemented in a distributed manner among various components of traffic management device 110. Furthermore, validation module 208 may be implemented as a standalone device that can be directly interfaced with traffic management device 110 via standard interface ports.
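What validation module 208 has to produce when it attaches an RRSIG to a synthesized AAAA record set, as an added example that is not code from the page or from F5: the RFC 4034 section 3.1.8.1 signed-data buffer and RRSIG fields, plus the reconstruction a downstream validator performs. The public-key primitive is left pluggable; because the Python standard library has no DNSSEC signature algorithm, `demo()` uses an HMAC-SHA256 stand-in under private algorithm number 253 (PRIVATEDNS), with constructed key material, names, TTLs and times. A deployed device would sign with an RSA or ECDSA key published in a DNSKEY that the client's validator trusts.

```python
"""Signing a synthesized AAAA RRset at the DNS64 device and checking it as a
downstream validator would (RFC 4034 sections 3.1.8.1, 6.2, 6.3, Appendix B).

The signature primitive is pluggable.  The standard library has no DNSSEC
public-key algorithm, so demo() uses an HMAC-SHA256 stand-in under private
algorithm number 253 (PRIVATEDNS); key material, names, TTLs and times are
constructed.  A deployed device would use RSA or ECDSA with a DNSKEY the
client's validator trusts."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Callable, List, Tuple

TYPE_AAAA = 28
CLASS_IN = 1
ALG_PRIVATEDNS = 253


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def label_count(name: str) -> int:
    """RRSIG Labels field: labels excluding the root and a leading wildcard."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B, algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rrsig_prefix(type_covered: int, algorithm: int, labels: int, orig_ttl: int,
                 expiration: int, inception: int, tag: int, signer: str) -> bytes:
    """RRSIG RDATA with the Signature field omitted; signer name in canonical form."""
    return struct.pack(">HBBIIIH", type_covered, algorithm, labels, orig_ttl,
                       expiration, inception, tag) + wire_name(signer)


def signed_data(owner: str, orig_ttl: int, rdatas: List[bytes], prefix: bytes,
                rrtype: int = TYPE_AAAA) -> bytes:
    """RRSIG_RDATA || RR(1) || ... || RR(n): owner in canonical form, TTL set to
    the RRSIG Original TTL (not the TTL seen on the wire, which caches lower),
    RRs sorted by RDATA as left-justified octet strings (RFC 4034 section 6.3)."""
    name = wire_name(owner)
    rrs = [name + struct.pack(">HHIH", rrtype, CLASS_IN, orig_ttl, len(rd)) + rd
           for rd in sorted(rdatas)]          # bytes ordering == canonical ordering
    return prefix + b"".join(rrs)


def sign_aaaa_rrset(owner: str, addrs: List[str], ttl: int, signer: str,
                    dnskey_rdata: bytes, algorithm: int, inception: int,
                    expiration: int, sign: Callable[[bytes], bytes]) -> Tuple[bytes, bytes]:
    """Device side: return (rrsig_rdata_prefix, signature) for the synthesized RRset."""
    prefix = rrsig_prefix(TYPE_AAAA, algorithm, label_count(owner), ttl, expiration,
                          inception, key_tag(dnskey_rdata), signer)
    rdatas = [ipaddress.IPv6Address(a).packed for a in addrs]
    return prefix, sign(signed_data(owner, ttl, rdatas, prefix))


def verify_aaaa_rrset(owner: str, addrs: List[str], prefix: bytes, signature: bytes,
                      verify: Callable[[bytes, bytes], bool]) -> bool:
    """Validator side: rebuild the signed data from the received RRset and the
    RRSIG fields; Original TTL is read from the RRSIG, RRs may arrive in any order."""
    orig_ttl = struct.unpack(">I", prefix[4:8])[0]
    rdatas = [ipaddress.IPv6Address(a).packed for a in addrs]
    return verify(signed_data(owner, orig_ttl, rdatas, prefix), signature)


def demo() -> Tuple[bytes, bytes, bool]:
    """Sign two synthesized AAAA records, then verify the RRset as received
    (lowercased owner, reversed RR order) and reject a tampered RRset."""
    secret = b"constructed-demo-secret"                 # stand-in, not a DNSSEC key
    dnskey_rdata = struct.pack(">HBB", 257, 3, ALG_PRIVATEDNS) + secret  # flags, proto, alg
    sign = lambda data: hmac.new(secret, data, hashlib.sha256).digest()
    verify = lambda data, sig: hmac.compare_digest(sign(data), sig)
    owner = "WWW.Example.COM."
    addrs = ["64:ff9b::c000:221", "64:ff9b::c000:202"]    # synthesized by DNS64
    prefix, sig = sign_aaaa_rrset(owner, addrs, 300, "example.com.", dnskey_rdata,
                                  ALG_PRIVATEDNS, 1700000000, 1700604800, sign)
    ok = verify_aaaa_rrset("www.example.com.", list(reversed(addrs)), prefix, sig, verify)
    tampered = verify_aaaa_rrset("www.example.com.", addrs[:1], prefix, sig, verify)
    return prefix, sig, ok and not tampered
```

Two details in `signed_data` are where implementations usually go wrong and produce signatures no validator accepts: the TTL fed into the hash is the RRSIG Original TTL, not the possibly decremented TTL on the wire, and the RRs are ordered by RDATA rather than in arrival order. The `tampered` check in `demo()` is the Background's failure mode from the other side: an RRset whose contents do not match the signed data is rejected, which is also what happens to a synthesized AAAA that carries no signature of its own.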
In one example, traffic management device 110 can include the host processor 20 characterized by any one of the following component configurations: computer readable medium and logic circuits that respond to and process instructions fetched from the host memory 22; a microprocessor unit, such as those manufactured by Intel Corporation of Santa Clara, Calif.; those manufactured by Motorola Corporation of Schaumburg, Ill.; those manufactured by Transmeta Corporation of Santa Clara, Calif.; the RS/6000 processor such as those manufactured by International Business Machines of Armonk, N.Y.; a processor such as those manufactured by Advanced Micro Devices of Sunnyvale, Calif.; or any other combination of logic circuits capable of executing the systems and methods described herein. Still other examples of the host processor 20 can include any combination of the following: a microprocessor, a microcontroller, a central processing unit with a single processing core, a central processing unit with two processing cores, or a central processing unit with more than one processing core.
Examples of the traffic management device 110 include one or more application delivery controller devices of the BIG-IP® product family provided by F5 Networks, Inc. of Seattle, Wash., although other types of traffic management devices may be used. In an exemplary structure and/or arrangement, traffic management device 110 can include the host processor 20 that communicates with cache memory 21 via a secondary bus also known as a backside bus, while another example of the traffic management device 110 includes the host processor 20 that communicates with cache memory 21 via the system bus 26. The local system bus 26 can, in some examples, also be used by the host processor 20 to communicate with more than one type of I/O device 30. In some examples, the local system bus 26 can be any one of the following types of buses: a VESA VL bus; an ISA bus; an EISA bus; a Micro Channel Architecture (MCA) bus; a PCI bus; a PCI-X bus; a PCI-Express bus; or a NuBus. Other example configurations of the traffic management device 110 include an I/O device 30 that is a video display (not shown separately) that communicates with the host processor 20 via an Advanced Graphics Port (AGP). Still other versions of the traffic management device 110 include host processor 20 connected to I/O device 30 via any one or more of the following connections: HyperTransport, Rapid I/O, or InfiniBand. Further examples of the traffic management device 110 include a communication connection where the host processor 20 communicates with one I/O device 30 using a local interconnect bus and with a second I/O device (not shown separately) using a direct connection. As described above, included within some examples of the traffic management device 110 is each of host memory 22 and cache memory 21. The cache memory 21 will, in some examples, be any one of the following types of memory: SRAM; BSRAM; or EDRAM.
Other examples include cache memory 21 and host memory 22 that can be any one of the following types of memory: Static random access memory (SRAM), Burst SRAM or SynchBurst SRAM (BSRAM), Dynamic random access memory (DRAM), Fast Page Mode DRAM (FPM DRAM), Enhanced DRAM (EDRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), synchronous DRAM (SDRAM), JEDEC SRAM, PC100 SDRAM, Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), Direct Rambus DRAM (DRDRAM), Ferroelectric RAM (FRAM), or any other type of memory device capable of supporting the systems and methods described herein.
The host memory 22 and/or the cache memory 21 can, in some examples, include one or more memory devices capable of storing data and allowing any storage location to be directly accessed by the host processor 20. Such storage of data can be in a local database internal to traffic management device 110, or external to traffic management device 110 and coupled via one or more input output ports of network interface controller 24. Further examples of traffic management device 110 include a host processor 20 that can access the host memory 22 via one of either: system bus 26; memory port 53; or any other connection, bus or port that allows the host processor 20 to access host memory 22.
One example of the traffic management device 110 provides support for any one of the following installation devices: ZIP disks, a CD-ROM drive, a CD-R/RW drive, a DVD-ROM drive, a USB device, a bootable medium, a bootable compact disk (CD) used, for example, for a GNU/Linux distribution such as KNOPPIX®, a hard drive, or any other device suitable for installing applications or software. Applications can, in some examples, include a client agent, or any portion of a client agent. The traffic management device 110 may further include a storage device (not shown separately) that can be either one or more hard disk drives, or one or more redundant arrays of independent disks (RAID), where the storage device is configured to store an operating system, software, programs, applications, or at least a portion of the client agent. A further example of the traffic management device 110 includes an installation device that is used as the storage device.
Furthermore, the traffic management device 110 can include network interface controller 24 to communicate, via an input-output port inside network interface controller 24, with a Local Area Network (LAN), Wide Area Network (WAN) or the Internet through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, 56 kb, X.25, SNA, DECNET), broadband connections (e.g., ISDN, Frame Relay, ATM, Gigabit Ethernet, Ethernet-over-SONET), wireless connections, optical connections, or some combination of any or all of the above. Connections can also be established using a variety of communication protocols (e.g., TCP/IP, IPX, SPX, NetBIOS, Ethernet, ARCNET, SONET, SDH, Fiber Distributed Data Interface (FDDI), RS232, RS485, IEEE 802.11, IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, CDMA, GSM, WiMax and direct asynchronous connections). One version of the traffic management device 110 includes network interface controller 24 configured to communicate with additional computing devices via any type and/or form of gateway or tunneling protocol such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), or the Citrix Gateway Protocol manufactured by Citrix Systems, Inc. of Fort Lauderdale, Fla. Versions of the network interface controller 24 can comprise any one of: a built-in network adapter; a network interface card; a PCMCIA network card; a card bus network adapter; a wireless network adapter; a USB network adapter; a modem; or any other device suitable for interfacing the traffic management device 110 to a network capable of communicating and performing the methods and systems described herein.
In various examples, the traffic management device 110 can include any one of the following I/O devices 30: a keyboard; a pointing device; a mouse; a gesture based remote control device; a biometric device; an audio device; track pads; an optical pen; trackballs; microphones; video displays; speakers; or any other input/output device able to perform the methods and systems described herein. Host I/O ports 29 may in some examples connect to multiple I/O devices 30 to control the one or more I/O devices 30. Some examples of the I/O devices 30 may be configured to provide storage or an installation medium, while others may provide a universal serial bus (USB) interface for receiving USB storage devices such as the USB Flash Drive line of devices manufactured by Twintech Industry, Inc. Still other examples of an I/O device 30 may be a bridge 25 between the system bus 26 and an external communication bus, such as: a USB bus; an Apple Desktop Bus; an RS-232 serial connection; a SCSI bus; a FireWire bus; a FireWire 800 bus; an Ethernet bus; an AppleTalk bus; a Gigabit Ethernet bus; an Asynchronous Transfer Mode bus; a HIPPI bus; a Super HIPPI bus; a SerialPlus bus; a SCI/LAMP bus; a FibreChannel bus; or a Serial Attached small computer system interface bus. According to some examples, traffic management device 110 includes validation module 208 integrated as part of host system 18 for carrying out various exemplary functions of signing resource record types (e.g., AAAA resource records) created at traffic management device 110 using, by way of example only, public key cryptography.
Accordingly, components of traffic management device 110 include one or more processors (e.g., host processor 20) executing one or more traffic management applications, memory (e.g., cache memory 21 and/or host memory 22) coupled to the one or more processors by a bus, and network interface controller 24 coupled to the one or more processors and the host memory 22 and configured to receive data packets from a network that relate to the executing traffic management applications and to handle requests from client computers 104(1)-104(n) for a requested resource record type, which requests are serviced by servers 102(1)-102(n) by way of responses in a different resource record type. In this example, at least one of the one or more processors is configured to execute programmed instructions stored in the memory (e.g., cache memory 21 and/or host memory 22), and the network interface controller 24 includes logic that can be further configured, so that together they implement receiving at the traffic management device a first resource record type from one or more server devices in response to a request from a client device, validating at the traffic management device the first resource record type, and creating a second resource record type corresponding to the first resource record type after the validating. Signing the second resource record type at the traffic management device (e.g., by validation module 208) is carried out for servicing the request from the client device.
The operation of example processes for handling requests between different resource record types (e.g., for providing a DNSSEC proxy for DNS64) using, for example, traffic management device 110 shown in FIGS. 1-2, will now be described with reference back to FIGS. 1-2 in conjunction with the flow diagram or flowchart 300 shown in FIG. 3. The flowchart 300 is representative of example machine readable instructions for implementing, dynamically and in real time, the handling of requests between different resource record types, for example, at the traffic management device 110. In this example, the machine readable instructions comprise an algorithm for execution by: (a) a processor (e.g., host processor 20), (b) a controller, and/or (c) one or more other suitable processing device(s) within host system 18, for example. The algorithm may be implemented in software stored on tangible computer readable media such as, for example, a flash memory, a CD-ROM, a floppy disk, a hard drive, a digital video (versatile) disk (DVD), or other memory devices, but persons of ordinary skill in the art will readily appreciate that the entire algorithm and/or parts thereof could alternatively be executed by a device other than a processor and/or implemented in firmware or dedicated hardware in a well known manner (e.g., it may be implemented by an application specific integrated circuit (ASIC), a programmable logic device (PLD), a field programmable logic device (FPLD), a field programmable gate array (FPGA), discrete logic, or the like). For example, at least some of the components of the traffic management device 110 could be implemented by software, hardware, and/or firmware. Also, some or all of the machine readable instructions represented by the process of flowchart 300 of FIG. 3 may be implemented manually at the traffic management device 110, for example, using a command line interface (CLI) prompt window operated by a system administrator.
Further, although the example algorithm is described with reference to flowchart 300, persons of ordinary skill in the art will readily appreciate that many other methods of implementing the example machine readable instructions may alternatively be used. For example, the order of execution of the blocks in flowchart 300 may be changed, and/or some of the blocks described may be changed, eliminated, or combined.
Referring to FIG. 3, in step 302 of the flowchart 300, traffic management device 110 receives a request from one of client computers 104(1)-104(n). Generally, requests from client computers 104(1)-104(n) are for a resource record type that is different from the resource record type provided by one or more servers 102(1)-102(n) in response to the requests. In one example, the request from the client computers 104(1)-104(n) is an IPv6 request or query for a quad-A (‘AAAA’) resource record, which carries a 128-bit IPv6 address, for a resource provided by IPv4 devices (e.g., one or more servers 102(1)-102(n)) that hold only an ‘A’ resource record carrying a 32-bit IPv4 address. Since the respective standard formats of IPv6 AAAA and IPv4 A resource record requests and queries are known to those of ordinary skill in the art, they are not described herein in detail. Further, other types of resource records may be used; IPv4 and IPv6 resource records are discussed by way of example only, and not by way of limitation.
In step 304, traffic management device 110 forwards the received IPv6 request, e.g., in AAAA resource record format, to one of the servers 102(1)-102(n) after removing bits and/or headers to convert the request into an IPv4 request for an A resource record that can be understood by servers 102(1)-102(n). The removed bits and/or headers can at least partially be part of the 96-bit prefix that, when prepended to a 32-bit IPv4 address, forms the 128-bit IPv6 address that the client expects (for example, the well-known DNS64/NAT64 prefix defined in RFC 6052). Since servers 102(1)-102(n) do not understand the IPv6 address format and are instead in an IPv4 network environment, removal of the prefix bits is useful in directing the request from the client computers 104(1)-104(n) to the appropriate one or more of servers 102(1)-102(n).
In step 306, traffic management device 110 receives a response from one of servers 102(1)-102(n) along with a resource record signature (RRSIG) associated with that response. The signature on the received response is validated, for example, by checking the RRSIG over the returned A resource record set against the zone's DNSKEY and the DNSSEC chain of trust up to a configured trust anchor, to determine that the response came from a trusted source among servers 102(1)-102(n) and was not altered in transit. Validation can be performed, for example, using public key cryptography infrastructure implemented by validation module 208 in traffic management device 110, although other techniques for validation may be used. Only a response that passes validation is carried forward into the subsequent steps, since signing a record synthesized from an unvalidated response at step 312 would vouch for data that traffic management device 110 itself has not verified.
In step 308, traffic management device 110 determines whether the resource record type received in the response is the same as the resource record type requested by the client device. When the resource record type of the received response is the same as the resource record type requested, the flow proceeds to step 314, where traffic management device 110 forwards the received response, after validation, to the requesting one of client computers 104(1)-104(n). For example, if the received response is an IPv6 AAAA type response, traffic management device 110 simply forwards the response to the requesting one of the client computers 104(1)-104(n).
However, when the response includes one or more address records in a different resource record type format (e.g., an IPv4 format or an A resource record), in step 310 traffic management device 110 creates a new resource record corresponding to the received one but in the resource record type requested by the client (e.g., an IPv6 AAAA resource record whose 128-bit address embeds the 32-bit IPv4 address taken from the A resource record after the 96-bit prefix).
The flow then proceeds to step 312, where the newly created response (e.g., the synthesized AAAA resource record) including the new resource record type is signed by traffic management device 110 in compliance with DNSSEC. In this scenario, when a new signature (e.g., a new RRSIG) is attached dynamically in real time (or, “on-the-fly”) by the traffic management device 110 to the newly created IPv6 AAAA resource record, the older signature corresponding to the IPv4 A resource record response is discarded by the traffic management device, since an RRSIG covers only the resource record set it was computed over and is no longer valid for the synthesized set. By way of example only, and as discussed above, the signing of the synthesized resource record can be performed by validation module 208 using keys stored in the traffic management device 110 (e.g., in host memory 22), although other techniques for signing may be used. As a result, the signed AAAA resource record, although synthesized at traffic management device 110, maintains the chain of trust required by DNSSEC and is not rejected as invalid by additional downstream validators before reaching the requesting one of the client computers 104(1)-104(n). This presupposes that those downstream validators hold, or can chain to, the public key corresponding to the signing key held by traffic management device 110; a validator that does not trust that key will treat the synthesized record exactly as it would treat any other record with an unverifiable signature.
In step 314, the signed synthesized AAAA resource record is then forwarded to the requesting one of client computers 104(1)-104(n) as a response. It is to be noted that although in this example the IPv6 AAAA resource record is referred to as the resource record type requested by the client computers 104(1)-104(n), the examples disclosed herein apply equally to other resource record types, as long as the servers 102(1)-102(n) provide a response in a resource record type different from the one requested, which the traffic management device 110 validates, converts by synthesis into the requested resource record type, and then signs.
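The sequence of steps 302 through 314 can be followed end to end in the following runnable model. It is an added illustration, not code from the patent or from any vendor's product. Two things are assumed that the text does not fix: the 96-bit prefix is the RFC 6052 well-known prefix 64:ff9b::/96, and the RRSIG is stood in for by an HMAC-SHA256 over the canonical resource record set, whereas real DNSSEC uses public-key signatures (RSA, ECDSA or EdDSA) verified through a DNSKEY/DS chain. The names `handle_query`, `synthesize_aaaa`, `extract_ipv4`, the `upstream` dictionary standing in for servers 102(1)-102(n), and the key material are all constructed for the example. The model also shows the failure mode from the background (the A RRSIG reused over the synthesized AAAA set does not verify) and the caveat from step 312 (the downstream validator must hold the device's key as a trust anchor).

```python
"""Steps 302-314 of flowchart 300 as a runnable model: validate the server's
A response, synthesize the AAAA response, discard the old RRSIG, re-sign.

Constructed example, not the patent's or any vendor's code.  Assumptions
(not stated in the source): the DNS64 prefix is the RFC 6052 well-known
prefix 64:ff9b::/96, and RRSIGs are stood in for by HMAC-SHA256 over the
canonical RRset.  Real DNSSEC uses public-key signatures and a DNSKEY/DS
chain, but the validate-then-synthesize-then-sign logic is the same.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

DNS64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # assumed prefix


@dataclass(frozen=True)
class RRset:
    name: str      # owner name, e.g. "www.example.com."
    rtype: str     # "A" or "AAAA"
    rdata: tuple   # addresses as strings


@dataclass(frozen=True)
class SignedRRset:
    rrset: RRset
    rrsig: bytes   # stand-in for the RRSIG rdata
    signer: str    # name of the key that produced rrsig (RRSIG signer's name)


def canonical_form(rrset: RRset) -> bytes:
    # DNSSEC signs the canonical form of the whole RRset (RFC 4034, section 6):
    # owner name in lowercase, the type, and the rdata in sorted order.
    return "\n".join([rrset.name.lower(), rrset.rtype, *sorted(rrset.rdata)]).encode()


def sign(rrset: RRset, key: bytes, signer: str) -> SignedRRset:
    sig = hmac.new(key, canonical_form(rrset), hashlib.sha256).digest()
    return SignedRRset(rrset, sig, signer)


def verify(signed: SignedRRset, trust_anchors: dict) -> bool:
    # A validator accepts a signature only if it chains to a key it trusts.
    key = trust_anchors.get(signed.signer)
    if key is None:
        return False
    expected = hmac.new(key, canonical_form(signed.rrset), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signed.rrsig)


def synthesize_aaaa(a_rrset: RRset) -> RRset:
    # Step 310: each 32-bit IPv4 address is embedded after the 96-bit prefix.
    addrs = tuple(
        str(ipaddress.IPv6Address(int(DNS64_PREFIX.network_address)
                                  | int(ipaddress.IPv4Address(a))))
        for a in a_rrset.rdata
    )
    return RRset(a_rrset.name, "AAAA", addrs)


def extract_ipv4(v6addr: str) -> str:
    # Inverse of the synthesis: the prefix removal described at step 304.
    v6 = ipaddress.IPv6Address(v6addr)
    if v6 not in DNS64_PREFIX:
        raise ValueError(f"{v6addr} is not inside the DNS64 prefix")
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def handle_query(qname, qtype, upstream, server_anchors, proxy_key, proxy_name):
    """One pass through steps 302-314 for a single client query.

    upstream       - constructed stand-in for servers 102(1)-102(n):
                     maps (owner, rtype) -> SignedRRset as a server returns it
    server_anchors - keys the traffic management device trusts for upstream zones
    Returns the SignedRRset to send to the client, or None (SERVFAIL) when the
    upstream response does not validate.
    """
    # Steps 302/304: look for the requested type; fall back to an A lookup.
    response = upstream.get((qname, qtype)) or upstream.get((qname, "A"))
    if response is None:
        return None
    # Step 306: validate the server's RRSIG before trusting any rdata.
    if not verify(response, server_anchors):
        return None
    # Step 308: same type as requested -> forward unchanged (step 314).
    if response.rrset.rtype == qtype:
        return response
    if not (qtype == "AAAA" and response.rrset.rtype == "A"):
        return None
    # Step 310: synthesize the AAAA RRset from the validated A RRset.
    aaaa = synthesize_aaaa(response.rrset)
    # Step 312: the A RRSIG does not cover the new RRset, so it is dropped and
    # the synthesized RRset is signed with the device's own key.
    return sign(aaaa, proxy_key, proxy_name)


def demo():
    """Constructed scenario; returns (answer, client_accepts, stale_sig_accepts)."""
    zone_key = b"constructed-example.com-zone-key"
    proxy_key = b"constructed-proxy-key-in-host-memory-22"
    a_rrset = RRset("www.example.com.", "A", ("192.0.2.33", "192.0.2.34"))
    upstream = {("www.example.com.", "A"): sign(a_rrset, zone_key, "example.com.")}
    server_anchors = {"example.com.": zone_key}
    # The downstream validator must hold the proxy's key as a trust anchor,
    # otherwise the re-signed AAAA RRset is rejected like any unverifiable one.
    client_anchors = {"example.com.": zone_key, "dns64-proxy.": proxy_key}
    answer = handle_query("www.example.com.", "AAAA", upstream,
                          server_anchors, proxy_key, "dns64-proxy.")
    # Failure mode from the background: reusing the A RRSIG over the AAAA RRset.
    stale = SignedRRset(answer.rrset, upstream[("www.example.com.", "A")].rrsig,
                        "example.com.")
    return answer, verify(answer, client_anchors), verify(stale, client_anchors)
```

Running `demo()` yields a signed AAAA set for `www.example.com.` carrying `64:ff9b::c000:221` and `64:ff9b::c000:222`, accepted by a client that trusts the proxy's key, while the stale A signature over the same set is rejected. Swapping the HMAC stand-in for a real RRSIG computation changes only `sign` and `verify`; the ordering of validate, synthesize, discard and re-sign is the part the flowchart fixes.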
Having thus described the basic concepts, it will be rather apparent to those skilled in the art that the foregoing detailed disclosure is intended to be presented by way of example only and is not limiting. Various alterations, improvements, and modifications will occur to and are intended for those skilled in the art, though not expressly stated herein. The order in which the measures and processes for providing secure application delivery are implemented can also be altered. Furthermore, multiple networks in addition to network 112 and LAN 114 could be associated with traffic management device 110 from/to which network packets can be received/transmitted, respectively. These alterations, improvements, and modifications are intended to be suggested by this disclosure, and are within the spirit and scope of the examples. Additionally, the recited order of processing elements or sequences, or the use of numbers, letters, or other designations therefor, is not intended to limit the claimed processes and methods to any order except as can be specified in the claims.